[00:00.620 --> 00:05.920]  Hi folks, welcome to Lock Bypass Village and to my talk all about physical reconnaissance.
[00:05.920 --> 00:11.080]  So this is going to be a fairly low-tech talk. It's all about how we can use our human senses
[00:11.560 --> 00:17.860]  and our eyes to walk around and tell as much information as we can about a physical facility
[00:17.860 --> 00:26.320]  before we ever actually step inside. So I gave a different version of this talk at HOPE a few
[00:26.320 --> 00:34.300]  weeks ago. That one is a little bit more formal on sort of the architectural plans and inferences
[00:34.300 --> 00:41.160]  there. This one will be taking a more red team perspective. It's got a lot of new examples that
[00:41.160 --> 00:44.300]  weren't in the other one, as well as a lot of content that was cut. So I'm going to try to be
[00:44.400 --> 00:48.980]  a little bit faster with this one and take advantage of the more intimate environment
[00:48.980 --> 00:55.180]  that a DEFCON Village gives to make this talk all about the Q&A afterwards and having some
[00:55.180 --> 01:04.420]  interesting discussion. So to get started with the basic information. Intelligence follows a cycle.
[01:04.420 --> 01:09.620]  So we collect information, we analyze it into usable intelligence, and that's going to determine
[01:09.620 --> 01:14.800]  if we need to then collect more to decide ultimately what our course of action is. So
[01:14.800 --> 01:19.400]  that's the end goal that we need to keep in mind while we're collecting this information.
[01:20.860 --> 01:25.460]  Reconnaissance is something that we want to do of our physical facility, of course, but we're
[01:25.460 --> 01:30.920]  going to start with the area of influence, both physical and political. So looking at nearby
[01:30.920 --> 01:37.180]  streets, nearby shops, looking at nearby utilities, etc. As well as if the organization has multiple
[01:37.180 --> 01:43.380]  facilities, what are those facilities like? Do they have... well, they usually will have very
[01:43.380 --> 01:51.580]  similar layouts and usages and security situations there. And we want to observe at a range of times,
[01:51.580 --> 01:57.680]  day and night, week and weekend, and normal operation and during an anomaly to get a sense
[01:57.680 --> 02:04.260]  of how the organization handles that. We want to look at the people as well as the facility. So
[02:04.260 --> 02:09.380]  when are they entering? What the general demographic is? We can keep track of how many
[02:09.380 --> 02:15.020]  enter and leave at each time to get a sense of the occupancy of the building at a particular time.
[02:15.020 --> 02:19.480]  We want to look at what entrances and exits they use, as well as any security steps that they take
[02:19.480 --> 02:26.920]  inside, such as keys and credentials, and if they sign in or do anything else on entry.
[02:27.780 --> 02:34.020]  We can then go up to the main entrance and look at all the information we can get from that. So
[02:34.020 --> 02:39.780]  this particular picture is very telling. We can see the fire panel off to the side. You can get
[02:40.000 --> 02:43.940]  a very good sense of the occupancy and layout of the building from all the different fire zones
[02:43.940 --> 02:48.680]  that are going to exist. We have our fire safety plan blocks here telling us that this is the main
[02:48.680 --> 02:55.000]  entrance. We look at all the ways that are access controlled on this building. So there are a number
[02:55.000 --> 03:04.020]  of keypads, a credential reader, a doorbell, a video doorbell, and a different one used at night
[03:04.020 --> 03:09.660]  apparently. We can see the elevators through in this lobby, so we know exactly how to get to those,
[03:09.660 --> 03:14.560]  and we can infer that the hallway is going to go perpendicular to that, which makes sense given the
[03:14.560 --> 03:19.820]  layout of this building. We can notice these magnetic contact sensors there, so that gives
[03:19.820 --> 03:23.160]  us an indication that we're going to see more of those throughout the building, and there might be
[03:23.320 --> 03:29.920]  a networked alarm or intrusion detection system. So there's a lot that we can tell just by looking
[03:29.920 --> 03:36.260]  at the front doors. We can zoom in a little bit on the locks, so we can see something like Medeco
[03:36.260 --> 03:41.460]  or Schlage Primus lets us know that they take security a little bit more seriously, as well as
[03:41.460 --> 03:47.300]  an electronic strike plate lets us know that there is an electronic access control system involved.
[03:47.300 --> 03:53.700]  We can look around back and we might see what's happening in terms of things being
[03:53.700 --> 03:58.180]  disposed of, so if there's a dumpster back that tells you that the area is in flux, there's
[03:58.180 --> 04:04.040]  construction going on or something within it. You might see something like a specialized disposal
[04:04.040 --> 04:09.400]  bin, so in this case it's a cooking oil bin that tells us that there is a restaurant inside, and
[04:09.400 --> 04:14.860]  they fairly universally look like this, even if they're not so blatantly labeled. We can find the
[04:14.860 --> 04:21.460]  parking garages, so we know that this one is a full underground garage rather than just a number
[04:21.460 --> 04:27.040]  of vehicles because it starts to slope down. And we can find the ventilation grates near that and
[04:27.040 --> 04:32.420]  see how deep they actually go based on seeing, in this case, the light coming out from two levels
[04:32.420 --> 04:39.700]  down. We can look for the loading docks, and so that'll give us a sense of both where the service
[04:39.700 --> 04:43.980]  entrances and service corridors are going to be within the building, as well as what type of
[04:43.980 --> 04:50.900]  material they actually accept at this particular facility. And then looking around the back,
[04:50.900 --> 04:57.520]  this is a great sign of a site that does not have any alarm system installed on it.
[04:58.580 --> 05:04.460]  So that starts to give us a sense of what all the entrances around the perimeter of the site are
[05:04.460 --> 05:10.760]  going to look like. Now we can switch gears a bit and figure out what happens inside of that
[05:10.760 --> 05:17.960]  building envelope. To do that, we're trying to infer the floor plan of the site, which generally
[05:17.960 --> 05:22.540]  is going to include assignable space, so that's going to be our offices, residences, etc., what
[05:22.540 --> 05:28.320]  people are actually using. Circulation space, such as halls, stairwells, and elevators. And
[05:28.320 --> 05:34.560]  building support space, so washrooms, custodial closets, mechanical space, etc. And by identifying
[05:34.560 --> 05:41.020]  where all of these elements go, we can then help to improve our red team operation with this
[05:41.020 --> 05:47.760]  information before we even begin it. So with that, we can get the best plan for how to get from A to
[05:47.760 --> 05:54.520]  B, and we can then filter that into a timeline. So if, say, we need to go faster than the response
[05:54.520 --> 05:59.800]  is going to be coming in after we've set off an alarm or some other trigger for the response to
[05:59.800 --> 06:04.900]  come, we can use this information to determine if that's going to be feasible. We can figure out
[06:04.900 --> 06:10.140]  where it would make sense to put the cameras and work around that space, as well as we can do a bit
[06:10.140 --> 06:15.300]  of auditory analysis to see where we could be heard and where we can hear other people. And,
[06:15.300 --> 06:19.660]  of course, if we plan to do any social engineering in the space once we enter it, it really helps to
[06:19.660 --> 06:27.080]  know where we're going. So you can get floor plans often from the fire safety plan box, if that
[06:27.080 --> 06:33.560]  happens to be available to you. If not, you can usually do a search online and sometimes get good
[06:33.560 --> 06:40.540]  information there. So searching for a PDF and a number of keywords that I've outlined here that
[06:40.540 --> 06:48.000]  tend to be found in floor plan files online and not in a whole lot else is going to really help
[06:48.000 --> 06:52.780]  narrow down your search to get floor plans there. And if it's a public building, there's usually a
[06:52.780 --> 06:58.860]  tenders website that has loads of plans for it. When we infer floor plans, we're not going to get
[06:58.860 --> 07:05.220]  very detailed diagrams, but we'll get a topology that's good enough for all of these purposes for
[07:05.400 --> 07:10.640]  a red team engagement. The first thing we'll start with to infer floor plans is the massing
[07:10.640 --> 07:18.520]  of the building. So what is its overall shape? We have a primary mass, which is the main shape,
[07:18.520 --> 07:22.620]  anything smaller sticking out of it is called a secondary mass.
[07:23.540 --> 07:29.880]  This then has surrounding it as a skin is the building envelopes, which envelopes the massing.
[07:29.880 --> 07:35.440]  It has doors, such as the doors, loading docks, etc. that we looked at before.
[07:35.620 --> 07:41.640]  Windows, which we'll use the architectural term of fenestration. It would have mechanical equipment,
[07:41.640 --> 07:46.880]  so vents and louvres coming out of it, as well as potentially equipment on the roof and external
[07:46.880 --> 07:51.920]  structural members, all of which are clues to the internal layout. We can get this massing
[07:51.920 --> 07:59.460]  information from Google Maps, often has it for many cities. Many cities also often have their
[07:59.460 --> 08:05.740]  open data releasing this information. We can look at satellite views, as well as local government's
[08:05.740 --> 08:13.200]  open data, and of course taking pictures in person. So from the exterior massing and envelope,
[08:13.200 --> 08:18.860]  how do we determine the floor plan? So here's an example of a very large complicated facility.
[08:18.860 --> 08:23.660]  Looking at it from an aerial view, we can start to see that it is very well
[08:25.440 --> 08:33.140]  set out as a linear layout. So it's branched, but otherwise we can infer, well there's probably
[08:33.140 --> 08:38.340]  going to be a hallway in the center there, with rooms branching off to either side. The size of
[08:38.340 --> 08:43.120]  those rooms is going to be quantized by the positioning of these windows here. And so as it
[08:43.120 --> 08:48.360]  turns out, that's exactly what we see. Hallway in the middle, with rooms quantized by the windows,
[08:48.360 --> 08:53.540]  equal depth on either side. The stairwells, we can start to guess where they are based on where it
[08:53.540 --> 08:59.480]  makes sense, given fire and egress requirements. And the entire facility, we see that that holds
[08:59.480 --> 09:06.700]  true as well, with hallways in the middle, and it very closely follows what we could infer from
[09:06.700 --> 09:13.700]  looking at that external massing. So sometimes we can also get the hall location directly from
[09:13.700 --> 09:18.900]  fenestration or massing. So in this case, we have both windows and a very thin mass element that
[09:18.900 --> 09:23.500]  tells us that the hall must be in the middle here. It's usually in the middle, but not always. So in
[09:23.500 --> 09:30.200]  this case, this bridge tells us that this hall is on the edge. An interesting case study for these
[09:30.200 --> 09:36.980]  long massings, long thin massings, is prisons. So cell blocks tend to be laid out that way.
[09:37.040 --> 09:40.980]  In terms of the inside of them, once you've seen one, you've seen them all. They all pretty much
[09:40.980 --> 09:47.640]  look like this. But there's one interesting aside about prison escapes, and that is that every prison
[09:47.640 --> 09:53.600]  needs to have a lavatory in it, and every lavatory needs to have plumbing, and that plumbing has to
[09:53.600 --> 10:00.460]  get out somewhere. And so that will usually be in a crawlspace, and in older prisons it will often
[10:00.460 --> 10:07.000]  be in a fully-fledged service tunnel that already exists, and that must therefore be connected
[10:07.520 --> 10:12.520]  through a wall from the cells. So when you hear about people tunneling out of prisons,
[10:12.520 --> 10:16.440]  you think, well that's a very daunting task. They don't actually have to go very far,
[10:16.440 --> 10:22.480]  just a couple inches of brick or concrete or whatever it might be, to get to the crawlspace
[10:22.480 --> 10:28.080]  where the plumbing gets out. We can use this, when we're not trying to break out of a prison,
[10:28.080 --> 10:33.940]  to determine where washrooms are in a facility before we ever set foot in it. So washrooms need
[10:33.940 --> 10:39.380]  plumbing, and multi-story plumbing needs pipe riser shafts. So you tend to see the washrooms
[10:39.380 --> 10:45.360]  are in the same place on every floor, so that the plumbing can be collinear in that regard.
[10:45.520 --> 10:50.420]  Pipe riser shafts usually end in mechanical equipment at the top of the building, and so by
[10:50.420 --> 10:56.580]  seeing this mechanical penthouse jutting out on the roof, we can infer that the pipe riser shafts
[10:56.580 --> 11:02.820]  are under it, as likely are the washrooms. So in this particular example, we have this
[11:03.060 --> 11:07.920]  t-shaped building, and we can infer that there's going to be likely a t-shaped hallway in the
[11:07.920 --> 11:14.080]  middle. If we did a bit more research, we determined that this was a long-term care home, and so given
[11:14.080 --> 11:20.920]  the dimensions of this building, that would be abnormally large for the suites to extend right
[11:20.920 --> 11:27.920]  the way to the center. So we might infer that there's going to be two hallways per wing,
[11:27.920 --> 11:34.240]  and support space in the middle, as a building or a facility of this type would need a lot of
[11:34.240 --> 11:40.120]  support space. We can also see this large vertical window here, indicating some sort of large common
[11:40.120 --> 11:46.220]  room in this area on every floor. Looking at the floor plan, that is what we find. So we have this
[11:46.220 --> 11:53.180]  large common room where the window was, as well as suites around the edges, and a loop of hallways in
[11:53.180 --> 11:59.260]  each wing, and then support space in the center, including stairs on each of the three wings. It
[11:59.260 --> 12:05.160]  makes sense for egress purposes that they would be located there, and central elevators. High rises
[12:05.860 --> 12:11.540]  are a lot easier to determine what the layout is, because they're relatively small horizontally,
[12:11.540 --> 12:17.000]  and there's a number of things that are often stacked. So they're the same place, floor to
[12:17.000 --> 12:22.000]  floor to floor. Obviously elevators, structural columns, and stairwells, that makes sense.
[12:22.040 --> 12:28.140]  Washrooms need their pipe space behind toilets, so in this case the pipe space is here, but it's nearby
[12:28.140 --> 12:34.520]  to it. Telecom closets, electrical closets, pipe shafts, mechanical rooms, and vents, all of which
[12:34.520 --> 12:40.740]  have vertical risers that ensure that they tend to be vertically stacked. What this gives rise to
[12:40.740 --> 12:46.240]  is generally you have a central core that's going to contain all of these building support elements.
[12:46.240 --> 12:53.400]  So your mechanical room, washrooms, stairs, elevators. Here we can see in this diagram that
[12:53.940 --> 12:59.340]  pipe space behind the toilets there, and that's the reason that's stacked. And that also makes
[12:59.340 --> 13:05.060]  sense to use this space that's very far from the windows where people like to occupy for
[13:05.060 --> 13:11.680]  these central core elements, and then let people occupy the outside. This indicates the column grid
[13:11.680 --> 13:17.020]  here, so this might be partitioned by the final user of the space, and those partitions are
[13:17.020 --> 13:22.760]  generally going to follow the column grid some way or another. It also makes sense for egress
[13:22.760 --> 13:28.160]  purposes to have the stairwells and elevators in the central core, because it's about equidistant
[13:28.160 --> 13:35.000]  from everything in that floor. Most high rises have entire floors dedicated to mechanical
[13:35.000 --> 13:41.480]  equipment, and we can locate them by noticing very clear differences in the fenestration. So
[13:41.480 --> 13:47.940]  instead of windows it's mechanical vent louvres. If we see the top level of fenestration is well
[13:47.940 --> 13:51.820]  below the roof level, that indicates that there's a mechanical penthouse at the top,
[13:51.820 --> 13:56.980]  and there's also often mechanical basements or partial basements that are going to house
[13:56.980 --> 14:02.820]  that equipment. So in this particular case we see a number of mechanical penthouses well concealed
[14:02.820 --> 14:07.860]  within the architecture of the building, and in this case we see loads where the fenestration
[14:07.860 --> 14:12.400]  doesn't extend all the way up to the roof, and that indicates that that's what's going on there.
[14:12.760 --> 14:17.360]  We can also do a bit of math, so we can get the height of the building either by public records,
[14:17.360 --> 14:24.380]  as many of them are, or we can measure it fairly simply with simple trigonometry and
[14:24.380 --> 14:28.920]  angle measurements. With the height of the building, counting the floors, we can then
[14:28.920 --> 14:33.340]  determine what the average floor height is, and that gives us a sense of both what the occupancy
[14:33.340 --> 14:39.580]  is, what the usage is, as well as where the mechanical equipment will go. So very very tall
[14:39.580 --> 14:46.140]  floors will likely have false ceilings or false floors, and that does affect our ability to bypass
[14:46.140 --> 14:50.780]  in certain ways, since we know we can get into places through the ceiling or the floor if that
[14:50.780 --> 14:58.880]  exists. And then shorter ones are then going to have mechanical corridors instead, and they'll
[14:58.880 --> 15:04.500]  tend to be smaller with a central core housing that mechanical equipment. In terms of high-rise
[15:04.500 --> 15:11.760]  residential, it's not nearly as open as an office floor plan. It's going to be set up into separate
[15:11.760 --> 15:17.640]  suites, but they're going to follow a central core as well, housing the stairs, elevators,
[15:17.640 --> 15:24.820]  and building support systems. And it will tend to have a ring-shaped or u-shaped corridor
[15:25.460 --> 15:30.840]  for circulation space to give access to all of those units. And so in this particular case, we
[15:30.840 --> 15:36.380]  see a slightly abnormally shaped building, but stairs, elevators, support space in the center
[15:36.380 --> 15:44.320]  with a ring-shaped corridor following that general outer perimeter. In terms of identifying where in
[15:44.320 --> 15:49.760]  the core each things are positioned relative to one another, and in a larger building where these
[15:49.760 --> 15:55.180]  elements are in general, we can sometimes look at the parking garage. So right away we can see where
[15:55.180 --> 15:59.400]  the structural columns are, and that's going to extend all the way up the building. We can find
[15:59.400 --> 16:08.100]  where the elevator banks are. We can find where the telecom riser shafts and pipe riser shafts are
[16:08.100 --> 16:12.920]  by the location of mechanical rooms in the basement. So in this case, security system room
[16:12.920 --> 16:22.440]  is very likely going to be located very close to the telecom riser shaft. And that we'll notice
[16:22.440 --> 16:26.800]  is right beside the elevator lobby, which makes sense in the high rise that's going to be above
[16:26.800 --> 16:33.400]  this. The elevator and the riser shafts and all this other building support space is going to be
[16:33.400 --> 16:38.800]  in the central core, so it will be close to one another in the parking garage. Of course, we can
[16:38.800 --> 16:45.480]  identify stairs as well. In older buildings, the stairs tend to be located on the outside of the
[16:45.480 --> 16:50.400]  building, and so we can identify those using a number of tricks. Sometimes you can just see the
[16:50.400 --> 16:57.180]  stairs very clearly. Stairs tend to have egress doors at the bottom of them, since they are
[16:57.180 --> 17:02.860]  provided for egress purposes as well. And when you look at the building at night, if there's one
[17:02.860 --> 17:07.520]  column of windows that's entirely lit up, that is usually a stairwell, because it needs to be lit
[17:07.520 --> 17:14.540]  for egress purposes. Here's an example of the stairwell being unfenestrated. It's this
[17:15.160 --> 17:20.800]  secondary mass that runs along the side of the building. A cue that it's a stairwell... well, one
[17:20.800 --> 17:29.300]  is its general dimensions. This makes sense for being a stairwell, as well as extends up onto the
[17:29.300 --> 17:33.920]  roof level of the building. So this is likely a stairwell that goes up and opens up onto the roof,
[17:33.920 --> 17:38.720]  indicating that that is likely what that is. And then we also have some cell towers on this
[17:38.720 --> 17:44.940]  building. Stairwells that are fenestrated, we can tell what they are from the fenestration. So if we
[17:44.940 --> 17:50.040]  see windows that are halfway between the regular floor heights, it's a very good indication that
[17:50.040 --> 17:55.380]  that's a landing on a stairwell. In this case, we have windows zigzagging up the building,
[17:55.380 --> 18:01.400]  and that's likely going to be following stairs that are zigzagging up, landing to landing. We
[18:01.400 --> 18:06.440]  also see that this is a secondary mass sticking out of the building, and it sticks up at the top,
[18:06.440 --> 18:11.480]  creating a little exit onto the roof from the top of that stairwell. And it makes perfect sense
[18:11.480 --> 18:17.040]  that that's located where it is, relative to how these windows are laid out. In this particular
[18:17.040 --> 18:22.020]  case, we have windows that are not aligned with the rest of the windows in the building. This is
[18:22.160 --> 18:27.280]  a residential building. You can tell based on the litness, or how lit the windows are, what that
[18:27.280 --> 18:32.960]  pattern is. And on this column of everything lit with the exact same intensity, that's got to be a
[18:32.960 --> 18:39.360]  stairwell. And here's another example of these half-height windows, indicating this is a stairwell
[18:39.900 --> 18:45.160]  terminating in a door at the bottom, and it's a column of lit windows. So that's very clearly what
[18:45.160 --> 18:50.600]  that is in this case. Where there's a fire escape, we can tell that there's likely no stairwell
[18:50.600 --> 18:56.500]  near it. That's about all we can tell, because they are retrofits. If there's multiple exit doors,
[18:56.500 --> 19:01.360]  and the exit doors are only cued as to where the stairwell is, it might also be to a hallway.
[19:01.360 --> 19:05.380]  We can tell which one's the primary exit door by looking at some safety features.
[19:05.440 --> 19:12.460]  So this light up here, to provide illumination to people exiting, as well as we have a parking
[19:12.460 --> 19:18.000]  lot there, so we have some vehicle ballers to protect pedestrians exiting from being rammed
[19:18.000 --> 19:23.460]  into by vehicles parking, indicates that this is the primary door. And these are likely mechanical
[19:23.460 --> 19:31.320]  doors. That's helped along by the fact that this vent loop exists there. So in this case, looking at
[19:31.320 --> 19:36.620]  this building, can we tell if it's an office building or residential? Based on the pattern of
[19:36.620 --> 19:42.620]  lighting in the windows, we can tell that it is almost certainly an office building, with the
[19:42.620 --> 19:50.570]  lower floors lit, the upper floors likely on timers, and not lit up. We can tell where the
[19:50.570 --> 19:57.010]  elevators are by looking for the associated machinery that goes with them. A hydraulic
[19:57.010 --> 20:03.130]  elevator, they tend to be shorter because there's a hydraulic ram that goes as deep into the ground
[20:03.130 --> 20:11.310]  as the elevator is tall, and so they can't go very high. And as well, they don't tend to show up in
[20:11.310 --> 20:16.990]  very old buildings because they're a newer technology. Every other type of elevator, and
[20:16.990 --> 20:22.530]  most of them are this second type, which is a traction elevator. So they're the typical ones
[20:22.530 --> 20:29.230]  that are hanging off of a cable. And they require a machine room at the top, with some exceptions,
[20:29.230 --> 20:35.710]  but they're rare. That machine room needs to be sticking out above the top level that the elevator
[20:35.710 --> 20:42.510]  serves. So if the windows go all the way up to the top level, all the way up to the roof, we can see
[20:42.510 --> 20:47.850]  that if the elevator is going to serve that top level, it's going to need an elevator penthouse
[20:47.850 --> 20:55.290]  extending out, excuse me, onto the roof. And that's what we see here. We see three elements,
[20:55.290 --> 21:00.170]  three secondary masses extending onto the roof. This central one makes sense to be the elevator,
[21:00.170 --> 21:05.090]  both based on the size, if we compare it to these vehicles down here, as well as the positioning
[21:05.090 --> 21:11.430]  relative to the main entrance to this building. And these secondary masses on the side are likely
[21:11.430 --> 21:18.590]  where the stairwells are coming out, exiting onto the roof. Another couple examples, we can see
[21:18.590 --> 21:23.330]  an elevator penthouse up here, indicating that's likely where the elevator is. In a building of
[21:23.330 --> 21:27.970]  this age and height, it's unlikely to be a hydraulic elevator. And here we can see the
[21:27.970 --> 21:33.010]  elevator directly exiting out the back, and this very likely is a hydraulic elevator.
[21:33.630 --> 21:39.010]  In this case, we can point out the stairwell very quickly by this column of lit windows.
[21:39.010 --> 21:43.350]  There's likely going to be one on the other side of the building as well. And we can infer the rest
[21:43.350 --> 21:48.590]  of the floor plan by noting that there are two balconies per side. Each balcony is partitioned
[21:48.590 --> 21:53.590]  into two, so eight units per side, or four units per side, eight per floor. So there's going to be
[21:53.590 --> 21:59.190]  four more on the other side. We can see this mechanical penthouse only covers part of the
[21:59.190 --> 22:03.610]  building's roof, so the elevator's got to be in the central core, which makes sense for circulation
[22:03.610 --> 22:12.510]  purposes. And we can tell that this building is likely symmetrical all around. Utilities are also
[22:12.510 --> 22:19.110]  very helpful for us to determine what a building's used for, what its occupancy is, and where things
[22:19.110 --> 22:25.290]  are within it. So here's an example. We can see this particular box coming out is a remote meter
[22:25.290 --> 22:33.030]  reader. It's for water, so the water meter reader can go and tap an electronic device onto this to
[22:33.030 --> 22:37.890]  read the meter. And that tells us that this is a mechanical room down here that it goes into.
[22:37.890 --> 22:44.090]  Here's another example where we have both that box as well as the gas meter leading into that.
[22:44.150 --> 22:47.490]  And looking into this grate, it's a bit hard to see in this picture, but there is a vent
[22:47.490 --> 22:52.970]  louvre there, further indicating that that is a mechanical room down there. In this case,
[22:52.970 --> 22:59.030]  we can spot the mech rooms by looking at what we can see, pipes directly in this room. We can see
[22:59.030 --> 23:04.230]  the fire stand pipe coming out of it, so it tells us something about the size of that mechanical room.
[23:04.410 --> 23:08.750]  On the second floor, we can tell that there is none here, because we can see in the windows.
[23:08.750 --> 23:12.650]  And on the third floor, there likely is a mechanical room up here, based on this louvre
[23:12.650 --> 23:17.990]  and the lack of windows. And of course, there's likely going to be some pipe shaft connecting this
[23:17.990 --> 23:22.610]  first and third floor mechanical room, recessed somewhat into the building, because we know it's
[23:22.610 --> 23:29.210]  on the edge. We can look at incoming telephone utilities to determine the occupancy of the
[23:29.210 --> 23:34.410]  building. So a cable coming up from an underground conduit, in this case, we can look at it and see
[23:34.410 --> 23:40.990]  that it, by its diameter, is about a 50 pair copper cable. So this building had a design maximum of 50
[23:40.990 --> 23:46.410]  phone lines in the building, and that's going to estimate the occupancy. We can also look at where
[23:46.410 --> 23:51.270]  the phone lines split up to, if they split up into separate units, to identify what the units are.
[23:51.270 --> 23:55.750]  So we can see a phone line coming along here, entering the building at this point.
[23:55.850 --> 24:00.250]  It's a little hard to see, but there is a line swinging up there and entering at this point.
[24:00.250 --> 24:07.010]  And then there's one along the side here, entering at that point. So from where these phone lines are
[24:07.010 --> 24:12.390]  entering the building, we can identify where the units are. That, combined with the fenestration,
[24:12.390 --> 24:17.690]  will give us a very good sense of what the internal partitioning of the walls is going to look like.
[24:17.690 --> 24:21.950]  Here's an interesting case that gives us a sense of the history of the building. We see
[24:22.570 --> 24:28.830]  a whole rat's nest of phone lines all going to the same place. What likely happened there is
[24:28.830 --> 24:35.870]  this is a rental building, and it changed hands many times throughout its life. And every time
[24:35.870 --> 24:40.650]  it did, a new phone line was installed, and the techs were lazy and just added a new one
[24:40.650 --> 24:46.510]  without removing the old one. So that's likely why we see this pattern here. And so that tells
[24:46.510 --> 24:51.310]  us something about what happens within the building. We can also look at heating, ventilation,
[24:51.310 --> 24:56.690]  and air conditioning. So in older buildings, these tend to be external units, visible, and we can look
[24:56.690 --> 25:02.550]  at what their capacity is to get a sense of what the internal capacity of the building is. In newer
[25:02.550 --> 25:08.470]  buildings, we have cooling towers on the roof, and those are going to have a certain capacity, feeding
[25:08.470 --> 25:14.610]  chillers on the inside that are going to then cool a water ethylene glycol mixture down to what it
[25:14.610 --> 25:20.050]  needs to cool the rest of the building and operate the HVAC systems. We can also look for specialty
[25:20.050 --> 25:25.430]  HVAC equipment. So if you see something like this, kind of looking like jet engines on the top,
[25:25.430 --> 25:31.850]  that's for creating an extreme negative pressure, generally to drive fume hoods or other chemical
[25:31.850 --> 25:39.110]  exhaust disposal systems. And so if you see those, that indicates that that's going on in the building.
[25:39.110 --> 25:44.690]  If you see fans like this, which operate on a similar principle but lower pressure,
[25:44.690 --> 25:51.190]  these are highly associated with cooking spaces. So here we have an axial fan. This is common to
[25:51.190 --> 25:58.090]  see over restaurant spaces. And here we have a centrifugal fan that pulls up from a vent here,
[25:58.090 --> 26:03.870]  indicating that there is likely a restaurant in this location as well. And in this particular case,
[26:03.870 --> 26:09.010]  we have a large industrial dust collector system, indicating that there's a machine shop
[26:09.010 --> 26:15.150]  or some sort of industrial fabrication system going on in this building. We can look at the
[26:15.150 --> 26:21.030]  incoming power. If we have pad mount transformers on the outside, we can look up the capacity of
[26:21.030 --> 26:26.350]  those transformers to figure out what the power requirements are inside that building. And if it's
[26:26.650 --> 26:32.670]  a volt transformer, we can see if it's a double or a single, giving us a sense again of the capacity
[26:32.670 --> 26:38.550]  to a bit less granularity. Kind of an interesting aside about how those are actually maintained.
[26:38.850 --> 26:45.830]  These concrete slabs at the top of them are crane lifted up, and then we can crane lift in and out
[26:45.830 --> 26:51.950]  new transformers to maintain those. So that's kind of interesting how that works. These all look
[26:51.950 --> 26:58.710]  similar to this, with an access hatch and a vent, since transformers do need to be vented or cooled
[26:58.710 --> 27:03.310]  in some way, as well as these crane liftable concrete slabs. So now that you know what these
[27:03.310 --> 27:09.470]  look like, you will start seeing them everywhere in urban settings. Inside of them we have power
[27:09.470 --> 27:16.410]  coming from the underground duct bank, and it then goes in a separate conduit to the basement of the
[27:16.410 --> 27:22.130]  customer's building. And so that gives us a sense, based on the positioning of the hydrovolts, where
[27:22.680 --> 27:29.190]  that customer's basement mechanical room is going to be positioned. If they have
[27:29.590 --> 27:33.910]  a standby generator, they look something like this. Of course we can't see that from the outside,
[27:33.910 --> 27:39.330]  but that does indicate, if it's present, that it's a highly critical facility that's doing something
[27:39.330 --> 27:46.290]  with high importance, if it doesn't get interrupted. We can tell the presence of that
[27:46.290 --> 27:51.450]  by looking for these diesel fuel refilling stations. They look like this on the inside,
[27:51.450 --> 27:55.970]  it's just a pipe that you dump the diesel fuel into, but if you see that, it indicates not only
[27:55.970 --> 28:03.110]  where the diesel standby generator is, but also that one exists in that facility. Looking at the
[28:03.110 --> 28:08.210]  meters gives you a sense of how many separate units are being metered in that particular site.
[28:08.210 --> 28:13.090]  So in this case, we have a tack of the gas meters here, and we can count these, and that's exactly
[28:13.090 --> 28:19.630]  how many separate metered units exist within this building. If we see something like this on the
[28:19.630 --> 28:26.550]  ground, it's a groundwater test well, and so they're going to dig down and essentially leave
[28:26.690 --> 28:32.750]  a pipe, a well, and they can test whenever they need to how deep that groundwater actually is.
[28:32.770 --> 28:38.310]  That could be used for flood prevention, but you also see this happening anytime there is new
[28:38.310 --> 28:43.810]  construction planned that's going to involve excavation. So if you see this and it's not in
[28:43.910 --> 28:49.850]  a floodplain, that likely indicates deep construction is being planned. We can also
[28:49.850 --> 28:55.970]  get a sense from the security features what might be happening inside of a building.
[28:55.970 --> 29:04.950]  So in this particular case, we have vehicle ram bollards here, fairly beefy, as well as very bright
[29:04.950 --> 29:11.010]  glare lighting. These vehicle bollards are to protect from vehicle impact attacks, as well as
[29:11.010 --> 29:16.330]  truck-mounted bombs. If this particular facility has that in its threat model, it gives you a good
[29:16.330 --> 29:21.430]  sense that whatever's going on in there must be fairly serious. As a bonus here, we have these
[29:21.430 --> 29:26.990]  half-height windows indicating a stairwell, and this lack of fenestration here indicates that
[29:26.990 --> 29:33.450]  there's very likely an elevator shaft there, possibly with a little window vent in the penthouse
[29:33.450 --> 29:43.350]  at the top here. So looking at the fenestration in this particular case study, we see a weird pattern.
[29:43.350 --> 29:48.370]  We can tell immediately that there's going to be a basement suite there, so likely from this
[29:48.970 --> 29:54.950]  entrance door there's going to be some stairs up to a fairly tall first floor. When we have a tall
[29:54.950 --> 30:00.490]  floor, the rooms tend not to be partitioned very small, so it's likely either a large open event
[30:00.490 --> 30:08.970]  space or a number of larger rooms within that. Anytime we see a strange looking fenestration
[30:08.970 --> 30:15.750]  pattern, like in this case, we can infer that that's certainly because of whatever requirements
[30:15.750 --> 30:22.490]  the inside of this building has for its layout. Here's a really great example. So we have this
[30:22.490 --> 30:29.310]  L-shaped building, immediately gives us a sense of the circulation layout within it. We can see the
[30:29.310 --> 30:35.830]  elevator penthouse here, as well as a chimney stack indicating that the boiler house is going to be
[30:35.830 --> 30:44.090]  below that. We can see that the boiler house is indeed spanning floors three and four here, and
[30:44.090 --> 30:52.470]  the entire central core supporting this building's utilities is going to be located near there as
[30:52.470 --> 30:58.090]  well by looking at the roof and what exists on the roof. We can also see this framing here that used
[30:58.090 --> 31:04.010]  to support some heavy HVAC unit. It's going to be anchored on the columns of the building, and
[31:04.010 --> 31:10.310]  those columns line up with the breaks in the fenestration alongside of this building. So from
[31:10.310 --> 31:15.670]  this and from the fenestration, we can actually infer the entire structural diagram of this
[31:15.670 --> 31:22.210]  particular building. So that was sort of a whirlwind tour. If you're interested in this sort
[31:22.210 --> 31:27.510]  of thing and would like to see a little bit more of the details of how these things are
[31:28.130 --> 31:33.690]  are done, I encourage you to check out my Hope Talk as well. But this now gives us a great
[31:33.690 --> 31:39.670]  opportunity to have some Q&A, chat about this, chat about some interesting cases that you've seen
[31:39.670 --> 31:46.130]  in your life, and see what else we can infer from these types of tricks. So I'm hoping that this
[31:46.130 --> 31:50.590]  will make you more situationally aware in your everyday life, look at your built infrastructure
[31:50.590 --> 31:55.870]  differently, and when you're going to an unfamiliar building, know where you're going. I'd like to
[31:55.870 --> 32:00.530]  extend a huge thank you to Kara and Bobby, Josh, and Eric for their help in preparing this talk,
[32:00.530 --> 32:06.850]  and I'd be happy to take any questions and start the discussion on this. Thank you very much folks.
